Saturday, September 15, 2007

Academic Spying

The New York Times has a front-page article today about couples spying on each other's email, webpage-viewing history, and cell phone use. This is non-news to most people, but what about academic e-spying?

The most serious incident I've had to deal with involved a postdoc's reading (and making copies of) my email and other computer files, but that was 7-8 years ago -- before computer security was taken as seriously as it is today. The postdoc (referred to in previous posts as 'the criminally insane postdoc') was fired, but because of that e-spying episode and another incident, my feelings towards internet communications can be fairly described as 'paranoid'.

I am not extreme about it -- for example, I am fond of internet shopping, and dozens of internet commerce sites have my credit card numbers stored on them. Furthermore, if I were completely paranoid, I probably wouldn't have this blog. When it comes to using the internet to communicate, though, I am less trusting. I suppose this is good in a way because it would discourage me from writing rude and salacious things in email messages, were I so inclined.

Some of my colleagues worry about internet security when sending or receiving reference letters. I have had a few students read paper copies of reference letters I had written for them (in one case this involved the student's opening a sealed envelope with my signature across the flap). And, as I've written before, sometimes people are shown their reference letters for tenure or promotion even when the letters are supposed to be confidential. Therefore, letters on paper are not necessarily more secure than electronic letters.

There are enough ways for academics to 'steal' (borrow) ideas and data without resorting to e-spying, so I imagine that such activities are mostly the realm of the crazies and the maliciously paranoid. But I could be wrong...

9 comments:

I don't know, one of my postdoc advisors had a bunch of data disappear off a Windows machine while I was working there. He was convinced that one of his former postdocs (now a professor at Harvard) had hacked in and erased it.

At the time I just thought it was sheer computer ignorance, since they weren't very good about backing anything up. And it's, you know, Microsoft. Prone to frequent crashings, especially since they were running all different versions on all the lab computers, it was a disaster waiting to happen.

Anyway, to help combat further hack-ins, he insisted that everyone install firewall software after that, which was a good idea even if the root motivation was irrational. And then proceeded to look at the number of attempted hits per day, as further proof that many many evil people were trying to steal our stuff.

In retrospect, this particular example of paranoid craziness should have been a tipoff... though I don't know, maybe he was right and that particular postdoc both could and would do something like that.

This summer, one of my colleagues was teaching a 3-hr summer course using PowerPoint, and at the regular break time when students get 15 minutes to run and get coffee, etc., she left the room for just a few minutes to go to the nearby restroom. When she came back, she noticed that some of the students seemed a bit funny or uncomfortable, but it wasn't until the class was over that she found out why. A student revealed to her that while she (the prof.) was gone at break, another student had used a flash drive to copy all (?), some (?) files, including notes and tests, off her computer. Can you imagine? And this class full of students sat by and watched--some finding it humorous, others apparently nonplussed. My colleague ended up calling the police, who confronted the student at her apartment later that night, but the shock and sense of violation lingers.

No, actually federal law specifically allows access to one's educational records, including application and recommendation files, unless one has signed a waiver. It's generally not polite to wave the letters around until after the process, but I think we've had the discussion on your blog regarding some professors having their students write their own recommendations in the first place as it is.

It's interesting that you'll trade so much personal information on the internet but not do much communication via email, as you say? Do you see those as different things inherently? Does one seem less risky?

Well... it isn't really SPYING, but the cases where reviewers steal ideas from proposals are all too common. And difficult to prove! That has happened to me more than once, and probably to you as well! It is sort of spying though, because it's stealing a PROPOSED idea which is being reviewed in a confidential way.

I agree with anonymous who pointed out that scientific espionage is easily accomplished when one reviews papers or sits on study sections. And there's also the grapevine of colleagues who pass along information on your competitors' work that they've seen at conferences. No technology required!

Having said that, I set my lab computer to go to a password-protected screen-saver after two minutes of no activity.

The student had to have my letter with my signature across the sealed flap in order to be considered for the program to which s/he was applying and didn't realize that just putting the letter in a new envelope wasn't going to work.

For secure communications, twin-key encryption is the only way to do it. The software is readily available, has been tested to destruction multiple times (the SSH family is based around it), and is cryptographically secure.

For PC systems, if you want something to remain secure, use something like AES-256 bit encryption, and power down the machine (or at least unmount that volume) when you're away.

DO NOT rely on someone not being able to get past Windows security; if the data ain't encrypted, then it is a simple matter of booting the machine with a Linux-on-a-CD disk, and simply reading the data that way. If someone has access to the hardware, then everything on the hardware can be copied and if it ain't encrypted, it'll get read.

Go read some of the internet resources on security (and the lack thereof in Microsoft products) and learn; modern encryption, if used properly, is pretty much unbreakable and is certainly enough to defeat any private individual.

About Me

I am a full professor in a physical sciences field at a large research university. I am married and have a teenaged daughter.
I have the greatest job in the world, but this will not stop me from noting some of the more puzzling and stressful aspects of my career as a science professor.
E-mail (can't promise to reply): femalescienceprofessor@gmail.com